2016-05-27 - RIG EK SENDS TOFSEE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-05-27-Rig-EK-pcaps.zip   307.7 kB (307,720 bytes)

• 2016-05-26-Rig-EK-sends-Tofsee.pcap   (231,993 bytes)
• 2016-05-27-Rig-EK-first-run.pcap   (47,826 bytes)
• 2016-05-27-Rig-EK-second-run.pcap   (251,008 bytes)

• ZIP archive of the malware and artifacts:  2016-05-27-Rig-EK-malware-and-artifacts.zip   243.9 kB (243,880 bytes)

• 2016-05-26-Rig-EK-flash-exploit.swf   (182,13 bytes)
• 2016-05-26-Rig-EK-landing-page.txt   (4,990 bytes)
• 2016-05-26-Rig-EK-payload-Tofsee.exe   (188,416 bytes)
• 2016-05-27-Rig-EK-flash-exploit.swf   (37,906 bytes)
• 2016-05-27-Rig-EK-landing-page-first-run.txt   (4,982 bytes)
• 2016-05-27-Rig-EK-landing-page-second-run.txt   (4,982 bytes)
• 2016-05-27-Rig-EK-payload-Tofsee.exe   (184,320 bytes)

 

TRAFFIC

Shown above:  Pcap of the 2016-05-26 traffic filtered in Wireshark.

Shown above:  Pcap of the 2016-05-27 traffic (first run) filtered in Wireshark.

Shown above:  Pcap of the 2016-05-27 traffic (second run) filtered in Wireshark.

ASSOCIATED DOMAINS:

• 109.95.159.1 port 80 - questart.com.pl - GET /wp-content/themes/twentyfourteen/xtrfgdb7.php?id=15768376   [gate to Rig EK]
• 46.30.43.128 port 80 - ds.filipinoaustralianforum.com - Rig EK (2016-05-26)
• 46.30.43.249 port 80 - mj.philippinesgetaway.com.au - Rig EK (2016-05-27)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-05-27-Rig-EK-pcaps.zip   307.7 kB (307,720 bytes)
• ZIP archive of the malware and artifacts:  2016-05-27-Rig-EK-malware-and-artifacts.zip   243.9 kB (243,880 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.